SECURE PARAMETER GENERATING DEVICE AND PARAMETER 
GENERATING METHOD IN ALGEBRAIC CURVE CRYPTOGRAPHY 

PACKGI^OUNDS QF THg INVENTION 
FIELD OF THE INVENTION 

The present invention relates to a secure 
parameter generating device, a generating method, and a 
storing medium in a discrete logarithm cryptography 
(hereinafter, referred to an algebraic curve 
cryptography), and more particularly to a secure 
parameter generating device and its generating method in 
a discrete logarithm cryptography using Jacobian group 
of algebraic curve. 

DESCRIPTION QF THE RELATED ART 

A discrete logarithm cryptography is a public 
key system based on the difficulty of a discrete 
logarithm problem on a given finite field. In order to 
keep the security of cryptography, the order of the 
finite field must be almost a prime number, that is, a 
factor of small integer and large integer. The algebraic 
curve cryptography that is one of the discrete logarithm 
cryptography needs to use an algebraic curve such that 
the order of the Jacobian group is almost a prime number. 

In the case of an elliptic curve that is the 
simplest algebraic curve, an efficient algorithm of 
calculating the order of the Jacobian group over any 
elliptic curve is known. The detailed description is 



shown in, for example, "Counting points on elliptic 
curves over finite fields". Journal de Theorie des 
Nombres, de Bordeaux 7 (1995), 219-254, Institue de 
Mathematique de Bordeaux, written by Rene Schoof . The 
elliptic curve such that the order of the Jacobian group 
is almost a prime factor can be obtained as follows, by 
using the above algorithm. 

1. Generate a random elliptic curve E. 

2. Calculate the order n of the Jacobian group 

of E. 

3. If n is almost a prime number, output E; 
otherwise, return to !• 

In the case of an algebraic curve other than an 
elliptic curve, no efficient algorithm of calculating 
the order of the Jacobian group is known except for one 
hyper-elliptic curve. Therefore, the algebraic curve 
which can be used in the algebraic curve cryptography is 
limited to an elliptic curve or one exceptional hyper 
elliptic curve. 

As for the h-fold operation of the elements in 
the Jacobian group, "Software Installation of Discrete 
Logarithm Cryptography Using C^^ curve" written by Arita, 
Yoshikawa, and Miyauchi, pp. 573-578, Security Symposium 
on Cryptography and Information in 1999, is known. 

Further, the technique disclosed in Japanese 
Patent Publication Laid-Open (Kokai) No. Heisei 6-282226 



comprises a step of selecting any prime number, storing 
an encryption key corresponding to the prime number into 
the public file device, generating a decoding key list 
corresponding to the prime number and the encryption key, 
and storing the decoding key list together with the 
prime number into a decoder, wherein an encoder obtains 
a public key of a receiver (decoder) from the public 
file, to multiply the plaintext on an elliptic curve, 
its value is sent to the decoder as a cryptogram, and 
the decoder computes a parameter of the elliptic curve 
from the cryptogram and selects a decoding key 
corresponding to the parameter by use of the decoding 
key list, thereby obtaining the plaintext from the value 
obtained by multiplying the cryptogram by the elliptic 
curve, using Chinese residue theorem. 

The above mentioned conventional technique 
limits the usable algebraic curves to an elliptic curve 
or one of exceptional hyper-elliptic curve. Since the 
elliptic curve and the hyper-elliptic curve are 
extremely particular algebraic curve from the viewpoint 
of the whole algebraic curves and this narrows the 
target for cryptanalysis , there arises a security 
problem of an algebraic curve cryptography. 

SUMMARY OF THE INVENTION 

An object of the present invention is to make it 
possible to use a higher and complicated algebraic curve 
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which couldn't be used, for an algebraic curve 
cryptography, and to provide a secure parameter 
generating device in an algebraic curve cryptography for 
improving the security of the algebraic curve 
cryptography . 

Further, another object of the present invention 
is to make it possible to use a higher and complicated 
algebraic curve which couldn't be used, for an algebraic 
curve cryptography, and to provide a secure parameter 
generating method in the algebraic cryptography for 
improving the security of the algebraic curve 
cryptography . 

According to the first aspect of the invention, 
a secure parameter generating device in an algebraic 
curve cryptography, comprises 

an input means for receiving two different prime 
numbers (a, b) specifying degree of complexity of a 
curve and size (n) of an encryption key to be used, 

a Stickelberger element computing device for 
computing a Stickelberger element ( co ) in an ab 
cyclotomic, based on the prime number (a) and the prime 
number (b), 

a Jacobian addition candidate value computing 
device for computing Jacobian addition candidate value j 
corresponding to the two different prime numbers a and b, 
and a prime number p corresponding to the Jacobian 
addition candidate value j , based on the prime number 



(a), the prime number (b), the size (n) of an encryption 
key, and the Stickelberger element (co) , 

an order candidate value computing device for 
computing a class H consisting of a plurality of 
candidate values for order of a Jacobian group of an 
algebraic curve specified by the prime number a and the 
prime number b, based on the prime number a, the prime 
number b, and the Jacobian addition candidate value j, 

a security judging device for searching for a 
candidate value h meeting a security condition such as 
almost prime number characteristic from the class H, 
according to the class H, 

a parameter deciding device for computing a 
parameter of an algebraic curve whose order of the 
Jacobian group is in accord with the candidate value h, 
of the algebraic curves specified by the prime number a, 
the prime number b, and the prime number p, based on the 
prime number a, the prime number b, the prime number p, 
and the candidate value h, and 

an output device for supplying the parameter of 
the algebraic curve computed by said parameter deciding 
device . 

In the preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography further comprises 

an a-storing means, a b-storing means, and an n- 
storing means for respectively storing the prime number 



a, the prime number and the size n of the encryption 
key received by said input means, 

a CO -storing means for storing a Stickelberger 
element co computed by said Stickelberger element 
computing device, 

a p-storing means and a j -storing means for 
respectively storing the prime number p and the Jacobian 
addition candidate value j computed by said Jacobian 
addition candidate value computing device, 

an H-storing means for storing the class H 
computed by said order candidate value computing device, 
and 

an h-storing means for storing the candidate 
value h found by said security judging device. 

In another preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography comprises 

said Stickelberger element computing device for 
computing the Stickelberger element co by use of the 
equation co = [<t/a> + <t/b>] a_{-t"^} (where, t runs 
on a typical series of irreducible residue class with ab 
used as a divisor, [ A ] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A-[A] of the rational number A, 
indicates Galois mapping C ~^ C ^ in the ab cyclotomic 
{K> is the primitive ab root of 1)), based on the prime 
number a and the prime number b. 



In another preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography comprises 

said Jacobian addition candidate value computing 
device for generating o; at random, which is an algebraic 
integer 7 generating a prime ideal of a cyclotomic K 
generated by the primitive ab root of 1 and whose 
absolute norm becomes the prime number p of bit length 
2n/ ( a-1 ) (b-1 ) or so, based on the prime number a, the 
prime number b, the size n of the encryption key, 
and the Stickelberger element co , and computing the 
Jacobian addition candidate value j by use of the 
equation j = 7 . 

In another preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography comprises 

said Stickelberger element computing device for 
computing the Stickelberger element co by use of the 
equation a) = [<t/a> + <t/b>] a_{-t"^} (where, t runs 
on a typical series of irreducible residue class with ab 
used as a divisor, [A] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A -[A] of the rational number A, 
indicates Galois mapping C ^ C ^ in the ab cyclotomic 

is the primitive ab root of 1)), based on the prime 
number a and the prime number b, and 

said Jacobian addition candidate value computing 



device for generating o; at random, which is an algebraic 
integer r generating a prime ideal of a cyclotomic K 
generated by the primitive ab root of 1 and whose 
absolute norm becomes the prime number p of bit length 
2n/ ( a-1 ) (b-1 ) or so, based on the prime number a, the 
prime number b, the size n of the encryption key, 
and the Stickelberger element co , and computing the 
Jacobian addition candidate value j by use of the 
equation j = T ^ . 

In another preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography comprises 

said order candidate value computing device for 
computing a candidate value h^ for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation hj, = Normj^|Q( 1+ (- 
^ )^ j) (where Norm_{K|Q> is a norm mapping in the ab 
cyclotomic K), as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j , and computing the 
class of the candidate values, H={hi,h2,... ,h2ab}* 

In another preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography comprises 

said Stickelberger element computing device for 
computing the Stickelberger element co by use of the 



equation 60 = 2^ [<t/a> + <t/b>] a_{-t'^} (where^ t runs 
on a typical series of irreducible residue class with ab 
used as a divisor, [A] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A-[A] of the rational number A, 
indicates Galois mapping C C ^ in the ab cyclotomic 
(C is the primitive ab root of 1))/ based on the prime 
number a and the prime number b, and 

said order candidate value computing device for 
computing a candidate value h,^ for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation hj^ = Norm^igC 1+ (- 
^ )^ j) (where Norm__{K|Q> is a norm mapping in the ab 
cyclotomic K), as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j , and computing the 
class of the candidate values, H={hi,h2,... fhjab}. 

In another preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography comprises 

said Jacobian addition candidate value computing 
device for generating a at random, which is an algebraic 
integer 7 generating a prime ideal of a cyclotomic K 
generated by the primitive ab root of 1 and whose 
absolute norm becomes the prime number p of bit length 
2n/ ( a-1 ) (b-1 ) or so, based on the prime number a, the 
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prime number b, the size n of the encryption key, 
and the Stickelberger element co , and computing the 
Jacobian addition candidate value j by use of the 
equation j = r'*',and 
5 said order candidate value computing device for 

computing a candidate value h^ for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation h^ = Norrt^|Q( 1+ (- 
C )^ j) (where Norm_{K|Q} is a norm mapping in the ab 
CI 10 cyclotomic K), as for each k that is an integer from 1 

01 to 2ab inclusively, when C is the primitive ab root of 1, 

ill based on the prime number a, the prime number b, and the 

W\ 

gj Jacobian addition candidate value j , and computing the 

Bl 

^ class of the candidate values, H={hi,h2,... /h2ab}- 

n 

15 In another preferred construction, secure 
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parameter generating device in an algebraic curve 
cryptography comprises 

said Stickelberger element computing device for 
computing the Stickelberger element co by use of the 

20 equation CO = [<t/a> + <t/b>] cr_{-t"^} (where, t runs 

on a typical series of irreducible residue class with ab 
used as a divisor, [ A ] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A-[A] of the rational nuit±»er A, 

25 indicates Galois mapping ^ ^ in the ab cyclotomic 

(C is the primitive ab root of 1)), based on the prime 
nuiT±>er a and the prime number b. 



said Jacobian addition candidate value computing 
device for generating a at random, which is an algebraic 
integer r generating a prime ideal of a cyclotomic K 
generated by the primitive ab root of 1 and whose 
absolute norm becomes the prime number p of bit length 
2n/ ( a-1 ) (b-1 ) or so, based on the prime number a, the 
prime number b, the size n of the encryption key, 
and the Stickelberger element co , and computing the 
Jacobian addition candidate value j by use of the 
equation j = T f and 

said order candidate value computing device for 
computing a candidate value h^ for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation h^^ = Norm^iQC 1+ (- 
^ j) (where Norm__{K|Q} is a norm mapping in the ab 
cyclotomic K), as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j , and computing the 
class of the candidate values, H={hi,h2f... ,h2ab>- 

In another preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography comprises 

said parameter deciding device for requiring the 
primitive a root C a ^^id the primitive b root ^ ^ of 1 
with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 



p, and the candidate value generating a random point 
G over an algebraic curve defined by the equation C 
+ C y,"^ 1 = 0 f as for each integer 1 from 1 to a 

inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, Ca^/ ^^id C b"" 
as the parameter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

In another preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography comprises 

said Stickelberger element computing device for 
computing the Stickelberger element co by use of the 
equation co = [<t/a> + <t/b>] o _{-t~^} (where, t runs 
on a typical series of irreducible residue class with ab 
used as a divisor, [ A ] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A-[A] of the rational number A, 
indicates Galois mapping C ^ in the ab cyclotomic 

(C is the primitive ab root of 1)), based on the prime 
number a and the prime number b, and 

said parameter deciding device for requiring the 
primitive a root C a the primitive b root C ^ of 1 

with the prime number p used as the divisor, based on 




the prime number the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation C 
+ C 1 ~ 0 , as for each integer 1 from 1 to a 

inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, Ca^/ ^^^d C b"* 
as the parameter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

In another preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography comprises 

said Jacobian addition candidate value computing 
device for generating a at random, which is an algebraic 
integer T generating a prime ideal of a cyclotomic K 
generated by the primitive ab root of 1 and whose 
absolute norm becomes the prime number p of bit length 
2n/ ( a-1 ) (b-1 ) or so, based on the prime number a, the 
prime number b, the size n of the encryption key, and 
the Stickelberger element co , and computing the 
Jacobian addition candidate value j by use of the 
equation j = T'^, and 

said parameter deciding device for requiring the 
primitive a root C a ^J^d the primitive b root C b of ^ 



with the prime nurnber p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation C 
+ C b"" 1 = 0 / for each integer 1 from 1 to a 

inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, K> J' r and C b"" 
as the parameter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

In another preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography comprises 

said order candidate value computing device for 
computing a candidate value h„ for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation h^ = NormK|Q( 1+ (- 
C )^ 3) (where Norm_{K|Q} is a norm mapping in the ab 
cyclotomic K), as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j , and computing the 
class of the candidate values, H={hi,h2,... fhjab)/ ^nd 

said parameter deciding device for requiring the 
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primitive a root C a ar^d the primitive b root of 1 
with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
5 G over an algebraic curve defined by the equation C 

+ C b"* 1 = 0 / for each integer 1 from 1 to a 

inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, Ca^/ and C 
10 as the parameter of an algebraic curve whose order of 

the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by -the prime number 
a and the prime number b if the result is equal to an 

SI 

OJ identity element in the Jacobian group. 

C"J 15 In another preferred construction, a secure 

pj parameter generating device in an algebraic curve 

m 

cryptography comprises 

said Stickelberger element computing device for 
computing the Stickelberger element co by use of the 

20 equation (x) = [<t/a> + <t/b>] a_{-t"^} (where, t runs 

on a typical series of irreducible residue class with ab 
used as a divisor, [ A ] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A -[A] of the rational number A, 

25 indicates Galois mapping C C ^ in the ab cyclotomic 

(C is the primitive ab root of 1)), based on the prime 
number a and the prime number b. 



said Jacobian addition candidate value computing 
device for generating a at random^ which is an algebraic 
integer T generating a prime ideal of a cyclotomic K 
generated by the primitive ab root of 1 and whose 
absolute norm becomes the prime number p of bit length 
2n/ ( a-1 ) (b-1 ) or so, based on the prime number a, the 
prime number b, the size n of the encryption key, and 
the Stickelberger element co , and computing the 
Jacobian addition candidate value j by use of the 
equation j = 7"^^ and 

said parameter deciding device for requiring the 
primitive a root K> a and the primitive b root C b of 1 
with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation K, ^ 
+ C b"" + 1 = 0 , as for each integer 1 from 1 to a 
inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, K> ^ , and ^ 
as the parameter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

In another preferred construction, a secure 
parameter generating device in an algebraic curve 



cryptography comprises 

said Stickelberger element computing device for 
computing the Stickelberger element co by use of the 
equation co = [<t/a> + <t/b>] a_{-t"^} (where, t runs 
on a typical series of irreducible residue class with ab 
used as a divisor, [ A ] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A-[A] of the rational number A, 
indicates Galois mapping C ~^ C ^ in the ab cyclotomic 
( C is the primitive ab root of 1 ) ) , based on the prime 
number a and the prime number b, 

said order candidate value computing device for 
computing a candidate value h^ for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation hj^ = NormK|Q( 1+ (- 
^ )^ j) (where Norm__{K|Q} is a norm mapping in the ab 
cyclotomic K) , as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j , and computing the 
class of the candidate values , H— {hj , h2 , • • • , h2ab} r and 

said parameter deciding device for requiring the 
primitive a root C a the primitive b root C ^ of 1 

with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation C 




+ C b"* 1 = 0 , as for each integer 1 from 1 to a 

inclusively and each integer iti from 1 to b inclusively ^ 
computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, K> ^ , and 
as the parameter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

In another preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography comprises 

said Jacobian addition candidate value computing 
device for generating ol at random, which is an algebraic 
integer 7 generating a prime ideal of a cyclotomic K 
generated by the primitive ab root of 1 and whose 
absolute norm becomes the prime number p of bit length 
2n/ ( a-1 ) (b-1 ) or so, based on the prime number a, the 
prime number b, the size n of the encryption key, and 
the Stickelberger element co , and computing the 
Jacobian addition candidate value j by use of the 
equation j = T^, 

said order candidate value computing device for 
computing a candidate value hj, for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation hj, = NormK|Q( 1+ (- 
C)'" j) (where Norm_{K|Q} is a norm mapping in the ab 



cyclotomic K), as for each k that is an integer from 1 
to 2ab inclusively^ when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j , and computing the 
class of the candidate values^ H={hi,h2,... /hjab}/ ^^<^ 

said parameter deciding device for requiring the 
primitive a root C a and the primitive b root C b of 1 
with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation C 
+ C 1 = 0 f for each integer 1 from 1 to a 

inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, C , and C b"" 
as the parameter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

In another preferred construction, a secure 
parameter generating device in an algebraic curve 
cryptography comprises 

said Stickelberger element computing device for 
computing the Stickelberger element co by use of the 
equation co = [<t/a> + <t/b>] a_{-t"^} (where, t runs 
on a typical series of irreducible residue class with ab 



used as a divisor, [ A ] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A-[A] of the rational number A, 
indicates Galois mapping C ~^ S ^ in the ab cyclotomic 
(C is the primitive ab root of 1)), based on the prime 
number a and the prime number b, 

said Jacobian addition candidate value computing 
device for generating a at random, which is an algebraic 
integer r generating a prime ideal of a cyclotomic K 
generated by the primitive ab root of 1 and whose 
absolute norm becomes the prime number p of bit length 
2n/(a-l) (b-1) or so, based on the prime number a, the 
prime number b, the size n of the encryption key, and 
the Stickelberger element co , and computing the 
Jacobian addition candidate value j by use of the 
equation j = T^r 

said order candidate value computing device for 
computing a candidate value hj, for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation h,, = Norm^iQC 1+ (- 
C j) (where Norm_{K|Q} is a norm mapping in the ab 
cyclotomic K), as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j, and computing the 
class of the candidate values, H={hi,h2,... fhjab)/ ^rid 

said parameter deciding device for requiring the 



primitive a root C a 't:he primitive b root of 1 

with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation C 
+ C ^ 1 = 0 , as for each integer 1 from 1 to a 

inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, Ca^/ ^^id C b"" 
as the parameter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

According to the second aspect of the invention, 
a secure parameter generating method in an algebraic 
curve, comprises the steps of 

a Stickelberger element computing procedure for 
computing a Stickelberger element co in an ab cyclotomic, 
respectively based on two different prime numbers a and 
b specifying degree of complexity of curve, 

a Jacobian addition candidate value computing 
procedure for computing Jacobian addition candidate 
value j corresponding to the two different prime numbers 
a and b, and a prime number p corresponding to the 
Jacobian addition candidate value j , respectively based 
on the prime number a, the prime number b, the size n of 



an encryption key, and the Stickelberger element co , 

an order candidate value computing procedure for 
computing a class H consisting of a plurality of 
candidate values for order of a Jacobian group of an 
5 algebraic curve specified by the prime number a and the 

prime number b, respectively based on the prime number a, 
the prime number b, and the Jacobian addition candidate 
value j , 

a security judging procedure for searching for a 

P 10 candidate value h meeting a security condition such as 

a' 

almost prime number characteristic from the class H, 
f^l according to the class H, and 

hit 

^} a parameter deciding procedure for computing a 

parameter of an algebraic curve whose order of the 
Cj 15 Jacobian group is in accord with the candidate value h, 

m 

ry of the algebraic curves specified by the prime number a, 

til 

□ the prime number b, and the prime number p, respectively 

CI 

based on the prime number a, the prime number b, the 

prime number p, and the candidate value h, 
2 0 In the preferred construction, a secure 

parameter generating method in an algebraic curve 

cryptography comprises 

a procedure for storing a Stickelberger element 

CO computed by said Stickelberger element computing 
25 procedure into said co -storing means, 

a procedure for respectively storing the prime 

number p and the Jacobian addition candidate value j 
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computed by said Jacobian addition candidate value 
computing procedure into said p-storing means and j- 
storing means, 

a procedure for storing the class H computed by 
5 said order candidate value computing procedure into said 

H-storing means, and 

a procedure for storing the candidate value h 
found by said security judging procedure into said h- 
storing means. 

10 In another preferred construction, a secure 

parameter generating method in an algebraic curve 
cryptography comprises 

said Stickelberger element computing procedure 
Uj for computing the Stickelberger element (x) by use of the 

p 15 equation OJ = [<t/a> + <t/b>] a_{-t"^} (where, t runs 

p.j on a typical series of irreducible residue class with ab 

ill 

used as a divisor, [ A ] indicates the maximum integer not 



m 

m 
m 
m 



exceeding a rational number A, <A> indicates a 

fractional portion A-[A] of the rational number A, 
20 indicates Galois mapping C ^ C in the ab cyclotomic 

(C is the primitive ab root of 1)), based on the prime 

number a and the prime number b. 

In another preferred construction, a secure 

parameter generating method in an algebraic curve 
25 cryptography comprises 

said Jacobian addition candidate value computing 

procedure for generating o: at random, which is an 



algebraic integer r generating a prime ideal of a 
cyclotomic K generated by the primitive ab root of 1 and 
whose absolute norm becomes the prime number p of bit 
length 2n/ ( a-1 ) (b-1 ) or so, based on the prime number a, 
5 the prime number b, the size n of the encryption key, 

and the Stickelberger element o) , and computing the 
Jacobian addition candidate value j by use of the 
equation j = T • 

In another preferred construction, a secure 
P 10 parameter generating method in an algebraic curve 

cryptography comprises 
4;" said Stickelberger element computing procedure 

m for computing the Stickelberger element co by use of the 

m 

equation CO = [<t/a> + <t/b>] a_{-t"^} (where, t runs 
C3 15 on a typical series of irreducible residue class with ab 

m 

f=|| used as a divisor, [ A ] indicates the maximum integer not 

ll exceeding a rational number A, <A> indicates a 

fractional portion A-[A] of the rational number A, 
indicates Galois mapping ^ in the ab cyclotomic 

20 ( C is the primitive ab root of 1)), based on the prime 

number a and the prime number b, and 

said Jacobian addition candidate value computing 
procedure for generating a at random, which is an 
algebraic integer T generating a prime ideal of a 
25 cyclotomic K generated by the primitive ab root of 1 and 

whose absolute norm becomes the prime number p of bit 
length 2n/ ( a-1 ) ( b-1 ) or so, based on the prime number a. 



the prime number b, the size n of the encryption key, 
and the Stickelberger element O) , and computing the 
Jacobian addition candidate value j by use of the 
equation j = 7 . 

In another preferred construction, a secure 
parameter generating method in an algebraic curve 
cryptography comprises 

said order candidate value computing procedure 
for computing a candidate value h^ for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation hj^ = Norm^iQC 1+ (- 
^ )^ j) (where Norm_{K|Q} is a norm mapping in the ab 
cyclotomic K), as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j , and computing the 
class of the candidate values, H={hi,h2,... fh2ab}* 

In another preferred construction, a secure 
parameter generating method in an algebraic curve 
cryptography comprises 

said Stickelberger element computing procedure 
for computing the Stickelberger element co by use of the 
equation CO = [<t/a> + <t/b>] a_{-t"^} (where, t runs 
on a typical series of irreducible residue class with ab 
used as a divisor, [A] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A-[A] of the rational number A, 



indicates Galois mapping C ^ C ^ in the ab cyclotomic 

is the primitive ab root of l))f based on the prime 
number a and the prime number b, and 

said order candidate value computing procedure 
for computing a candidate value hj^ for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation h,^ = NormK|Q( 1+ (- 
^ )^ j) (where Norm_{K|Q> is a norm mapping in the ab 
cyclotomic K), as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j , and computing the 
class of the candidate values, H={hi,h2,... /hjab}- 

In another preferred construction, a secure 
parameter generating method in an algebraic curve 
cryptography comprises 

said Jacobian addition candidate value computing 
procedure for generating ct at random, which is an 
algebraic integer r generating a prime ideal of a 
cyclotomic K generated by the primitive ab root of 1 and 
whose absolute norm becomes the prime number p of bit 
length 2n/ ( a-1 ) (b-1 ) or so, based on the prime number a, 
the prime number b, the size n of the encryption key, 
and the Stickelberger element co , and computing the 
Jacobian addition candidate value j by use of the 
equation j = 7 ^ and 

said order candidate value computing procedure 



for computing a candidate value hj, for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation h„ = NormK[Q( 1+ (- 
C j) (where Norm_{K|Q} is a norm mapping in the ab 
cyclotomic K)^ as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j , and computing the 
class of the candidate values, H-{hi,h2,... fti'2ah} • 

In another preferred construction, a secure 
parameter generating method in an algebraic curve 
cryptography comprises 

said Stickelberger element computing procedure 
for computing the Stickelberger element co by use of the 
equation co = [<t/a> + <t/b>] a_{-t"^} (where, t runs 
on a typical series of irreducible residue class with ab 
used as a divisor, [A] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A-[A] of the rational number A, 
indicates Galois mapping C C ^ in the ab cyclotomic 
(C is the primitive ab root of 1)), based on the prime 
number a and the prime number b, 

said Jacobian addition candidate value computing 
procedure for generating a at random, which is an 
algebraic integer 7 generating a prime ideal of a 
cyclotomic K generated by the primitive ab root of 1 and 
whose absolute norm becomes the prime number p of bit 
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length 2n/(a-l) (b-1 ) or so^ based on the prime number a, 
the prime number b, the size n of the encryption key^ 
and the Stickelberger element O) , and computing the 
Jacobian addition candidate value j by use of the 
5 equation j ~ 7^, and 

said order candidate value computing procedure 
for computing a candidate value hj, for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation hj, = Norm^iQC 1+ (- 
10 ^ )^ 3) (where Norm_{K|Q} is a norm mapping in the ab 

cyclotomic K), as for each k that is an integer from 1 
"rl to 2ab inclusively, when ^ is the primitive ab root of 1, 

yi based on the prime number a, the prime number b, and the 

m 

El Jacobian addition candidate value j , and computing the 

15 class of the candidate values, H={hi,h2,... ,h2ab}* 

PI In another preferred construction, a secure 

W1 

p-j parameter generating method in an algebraic curve 

P 

cryptography comprises 

said parameter deciding procedure for requiring 

20 the primitive a root Ca and the primitive b root C b of 1 

with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation C 

25 + C X*' + 1 = 0 , as for each integer 1 from 1 to a 

inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 



indicated by the point G, and supplying p, Ca^/ ^i^d C b"" 
as the parcuneter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

In another preferred construction, a secure 
parameter generating method in an algebraic curve 
cryptography comprises 

said Stickelberger element computing procedure 
for computing the Stickelberger element co by use of the 
equation co = [<t/a> + <t/b>] a_{-t"^} (where, t runs 
on a typical series of irreducible residue class with ab 
used as a divisor, [ A ] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A-[A] of the rational number A, 
indicates Galois mapping C ^ in the ab cyclotomic 

(C is the primitive ab root of 1)), based on the prime 
number a and the prime number b, and 

said parameter deciding procedure for requiring 
the primitive a root C a ^rid the primitive b root C ^ of 1 
with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation C 
+ C + 1 = 0 / as for each integer 1 from 1 to a 

inclusively and each integer m from 1 to b inclusively. 



computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, Ca^f ^nd C 
as the parameter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

In another preferred construction^ a secure 
parameter generating method in an algebraic curve 
cryptography comprises 

said Jacobian addition candidate value computing 
procedure for generating a at random, which is an 
algebraic integer T generating a prime ideal of a 
cyclotomic K generated by the primitive ab root of 1 and 
whose absolute norm becomes the prime number p of bit 
length 2n/ ( a-1 ) (b-1 ) or so, based on the prime number a, 
the prime number b, the size n of the encryption key, 
and the Stickelberger element co , and computing the 
Jacobian addition candidate value j by use of the 
equation j = T'^r and 

said parameter deciding procedure for requiring 
the primitive a root C a cind the primitive b root C b of 1 
with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation C a^ 
+ +l = Of as for each integer 1 from 1 to a 



inclusively and each integer in from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, Ky ^ , and 
as the parameter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

In another preferred construction, a secure 
parameter generating method in an algebraic curve 
cryptography comprises 

said order candidate value computing procedure 
for computing a candidate value hj^ for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation hj^ = NormK|Q( 1+ (- 
^ )^ 3) (where Norm__{K|Q} is a norm mapping in the ab 
cyclotomic K), as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j , and computing the 
class of the candidate values, H={hi,h2,... fhjab}^ 

said parameter deciding procedure for requiring 
the primitive a root C a and the primitive b root C b of 1 
with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation K> 



+ Cb"" +l = Of for each integer 1 from 1 to a 
inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point and supplying p, C^^, and C b"" 
as the parameter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

In another preferred construction, a secure 
parameter generating method in an algebraic curve 
cryptography comprises 

said Stickelberger element computing procedure 
for computing the Stickelberger element co by use of the 
equation co = [<t/a> + <t/b>] a_{-t"^} (where, t runs 
on a typical series of irreducible residue class with ab 
used as a divisor, [ A ] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A-[A] of the rational number A, 
indicates Galois mapping C ^ C ^ in the ab cyclotomic 
( C is the primitive ab root of 1 ) ) , based on the prime 
number a and the prime number b , 

said Jacobian addition candidate value computing 
procedure for generating a at random, which is an 
algebraic integer 7 generating a prime ideal of a 
cyclotomic K generated by the primitive ab root of 1 and 
whose absolute norm becomes the prime number p of bit 



length 2n/ ( a-1 ) ( b-1 ) or so, based on the prime number a, 
the prime number b, the size n of the encryption key, 
and the Stickelberger element co , and computing the 
Jacobian addition candidate value j by use of the 
equation j - T , and 

said parameter deciding procedure for requiring 
the primitive a root C a cind the primitive b root C ^ of 1 
with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation C 
+ C b"" X*" + 1 = 0 , as for each integer 1 from 1 to a 
inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, Ca^/ ^r^d C b"" 
as the parameter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

In another preferred construction, a secure 
parameter generating method in an algebraic curve 
cryptography comprises 

said Stickelberger element computing procedure 
for computing the Stickelberger element co by use of the 
equation co = E^. [<t/a> + <t/b>] a_{-t"^> (where, t runs 
on a typical series of irreducible residue class with ab 



used as a divisor, [A] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion A-[A] of the rational number A, 
indicates Galois mapping S ~^ C ^ in the ab cyclotomic 
( C is the primitive ab root of 1 ) ) , based on the prime 
number a and the prime number b, 

said order candidate value computing procedure 
for computing a candidate value h^ for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation h,^ = NormK|Q( 1+ (- 
C)^ 3) (where Norm_{K|Q> is a norm mapping in the ab 
cyclotomic K) , as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j , and computing the 
class of the candidate values, H={hi,h2,.-- ,h2ab>f ^^d 

said parameter deciding procedure for requiring 
the primitive a root C a ^nd the primitive b root dy of 1 
with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation C 
+ C X*" + 1 = 0 , as for each integer 1 from 1 to a 
inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, Ca^/ ^nd C b"" 
as the parameter of an algebraic curve whose order of 



the Jacobian group is in accord with the candidate value 

h, of the algebraic curves specified by the prime number 

a and the prime number b if the result is equal to an 

identity element in the Jacobian group. 
5 In another preferred construction, a secure 

parameter generating method in an algebraic curve 

cryptography comprises 

said Jacobian addition candidate value computing 

procedure for generating a at random, which is an 
P 10 algebraic integer r generating a prime ideal of a 

Q] cyclotomic K generated by the primitive ab root of 1 and 

whose absolute norm becomes the prime number p of bit 

m 

PI length 2n/ ( a-1 ) (b-1 ) or so, based on the prime number a, 

^■^ the prime number b, the size n of the encryption key, 

15 and the Stickelberger element co , and computing the 

Jacobian addition candidate value j by use of the 

m 

& equation j = T f 

said order candidate value computing procedure 
for computing a candidate value h,, for the order of the 

2 0 Jacobian group of an algebraic curve specified by the 

parameters a and b, using the equation hj^ = NormK|Q( 1+ (- 
C j) (where Norm_{K|Q} is a norm mapping in the ab 
cyclotomic K), as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 

25 based on the prime number a, the prime number b, and the 

Jacobian addition candidate value j , and computing the 
class of the candidate values, H={hi,h2,... /hj^b)/ ^rid 



said parameter deciding procedure for requiring 
the primitive a root S a ^rid the primitive b root C ^ of 1 
with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation C 
+ Cb"" +1 = 0, as for each integer 1 from 1 to a 
inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point G, and supplying p, Ca^/ ^ 
as the parameter of an algebraic curve whose order of 
the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group. 

In another preferred construction, a secure 
parameter generating method in an algebraic curve 
cryptography comprises 

said Stickelberger element computing procedure 
for computing the Stickelberger element co by use of the 
equation co = [<t/a> + <t/b>] a_{-t"^} (where, t runs 
on a typical series of irreducible residue class with ab 
used as a divisor, [A] indicates the maximum integer not 
exceeding a rational number A, <A> indicates a 
fractional portion of the rational number A, 

indicates Galois mapping C ^ in the ab cyclotomic 

(C is the primitive ab root of 1)), based on the prime 



number a and the prime number b, 

said Jacobian addition candidate value computing 
procedure for generating a at random, which is an 
algebraic integer 7 generating a prime ideal of a 
cyclotomic K generated by the primitive ab root of 1 and 
whose absolute norm becomes the prime number p of bit 
length 2n/ ( a-1 ) ( b-1 ) or so, based on the prime number a, 
the prime number b, the size n of the encryption key, 
and the Stickelberger element co , and computing the 
Jacobian addition candidate value j by use of the 
equation j = T ^ 

said order candidate value computing procedure 
for computing a candidate value h,^ for the order of the 
Jacobian group of an algebraic curve specified by the 
parameters a and b, using the equation h,^ = NormK|Q( 1+ (- 
^ j) (where Norm_{K|Q} is a norm mapping in the ab 
cyclotomic K), as for each k that is an integer from 1 
to 2ab inclusively, when C is the primitive ab root of 1, 
based on the prime number a, the prime number b, and the 
Jacobian addition candidate value j , and computing the 
class of the candidate values, H={hi,h2,... /h2ab}/ cind 

said parameter deciding procedure for requiring 
the primitive a root C ^ cind the primitive b root C b of 1 
with the prime number p used as the divisor, based on 
the prime number a, the prime number b, the prime number 
p, and the candidate value h, generating a random point 
G over an algebraic curve defined by the equation C 



+ C b"" + 1 = 0 , as for each integer 1 from 1 to a 
inclusively and each integer m from 1 to b inclusively, 
computing the h-fold of an element in the Jacobian group 
indicated by the point and supplying p, Ca^f C b"" 

5 as the parameter of an algebraic curve whose order of 

the Jacobian group is in accord with the candidate value 
h, of the algebraic curves specified by the prime number 
a and the prime number b if the result is equal to an 
identity element in the Jacobian group, 

P 10 According to another aspect of the invention, a 

•ill 

fil computer readable memory storing a program for 

iJl generating a secure parameter in an algebraic curve 

m 

cryptography, to run the program on a computer, 

m 

g the program comprises the steps of 

EJ 

p<l 15 a Stickelberger element computing procedure for 

P« computing a Stickelberger element CD in an ab cyclotomic, 

W f 

respectively based on two different prime numbers a and 

CJ 

b specifying degree of complexity of curve, 

a Jacobian addition candidate value computing 

2 0 procedure for computing Jacobian addition candidate 

value j corresponding to the two different prime numbers 
a and b, and a prime number p corresponding to the 
Jacobian addition candidate value j , respectively based 
on the prime number a, the prime number b, the size n of 

25 an encryption key, and the Stickelberger element co , 

an order candidate value computing procedure for 
computing a class H consisting of a plurality of 



PI 


10 


m 








111 

m 




m 




Kl 


15 


m 
m 









20 



candidate values for order of a Jacobian group of an 
algebraic curve specified by the prime number a and the 
prime number b, respectively based on the prime number a^ 
the prime number b, and the Jacobian addition candidate 
value j , 

a security judging procedure for searching for a 
candidate value h meeting a security condition such as 
almost prime number characteristic from the class H, 
according to the class H, and 

a parameter deciding procedure for computing a 
parameter of an algebraic curve whose order of the 
Jacobian group is in accord with the candidate value h, 
of the algebraic curves specified by the prime number a, 
the prime number b^ and the prime number p, respectively 
based on the prime number a, the prime number b, the 
prime number p, and the candidate value h. 

Other objects, features and advantages of the 
present invention will become clear from the detailed 
description given herebelow* 



BRIEF PESCRIPTIQN QF THE DRAWIN GS 
The present invention will be understood more 
fully from the detailed description given herebelow and 
from the accompanying drawings of the preferred 
25 embodiment of the invention, which, however, should not 

be taken to be limitative to the invention, but are for 
explanation and understanding only. 
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In the drawings : 

Fig. 1 is a block diagram showing the form of 
the first embodiment according to the present invention; 

Fig. 2 is a flow chart showing the operation of 
a Stickelberger element computing device; 

Fig. 3 is a flow chart showing an operation of 
the Jacobian additive candidate value computing device; 

Fig. 4 is a flow chart showing the operation of 
the order candidate value computing device; 

Fig. 5 is a flow chart showing the parameter 
deciding device; 

Fig. 6 is a block diagram showing the form of 
the third embodiment of the present invention. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 
The preferred embodiment of the present 
invention will be discussed hereinafter in detail with 
reference to the accompanying drawings. In the following 
description, numerous specific details are set forth in 
order to provide a thorough understanding of the present 
invention. It will be obvious, however, to those skilled 
in the art that the present invention may be practiced 
without these specific details. In other instance, well- 
known structures are not shown in detail in order to 
unnecessary obscure the present invention. 

First, the principle of the present invention 
will be described. 



The present invention is to efficiently search 
for an algebraic curve such that the order of the 
Jacobian group is almost a prime number, from the class 
of an algebraic curve having the definition expression 
such as q;Y^ +/3x*^ + 1 = 0, and to make it possible to use 
a higher and complicated algebraic curve that couldn't 
be used, for an algebraic curve cryptography. Here, the 
parameters a and b indicate the degree of complexity of 
curves . 

The algebraic curve over a finite field Fg of the 
order q, which has the definition expression such as (XY^ 
+ i8x^ + 1 = 0, is defined as C(q, a, (3). As for the 
algebraic curve C(q, a, jS ) , the order of the Jacobian 
group can be designed using the description about its L 
function by use of the Jacobian addition. 

Hereafter, for brief description, assume that 
q : = p (p is expressed by q) is a prime number, and that 
the expression, p = 1 mod LCM(a, b) is satisfied (LCM is 
the least common multiple) . Further, the primitive ab 
root of 1 is defined as C . The prime number p is 
completely factorized into m pieces of prime ideals, P^, 
P2, ... , in a cyclotomic Q( C ) . Here, the number m is 
the number of irreducible residue classes of the divisor 
ab. 

The generator w of the multiplication group Fp* 
of the finite field Fp is fixed, and the index x s of Fp* , 
as for the rational number such that (p"l)s becomes an 
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integer, is defined as Xs(w) = exp ( 2 tt is) (where i is an 
imaginary number) . Assuming that %s(0) = 0 (s: when it 
is not an integer), =1 (s: when it is an integer), the 
domain is expanded on the whole Fp. As for the integer 
5 1=1/ 2, ... , a-1 and the integer m=l, 2, ... , b-1, the 

expression, jp(l/ m) = E_{ 1+Vi+V2=0 } % i/a( ) X ^2 ) is 
called as Jacobian addition. Where, and run on v^, 
V2 meeting the equation 1+Vi+V2=0 . At this time, it 

is well known that the L function Lp(U) of C(p, a, 13) 
10 can be expressed by using the Jacobian addition as 

P follows. 

m 

^] Lp(u) = n,„i, , , b-i (1 + ^i/A 5c 

m 

fii m/b('3'^) jp(lf m) U ) . Therefore, the order h of the 

p 15 Jacobian group of C(p, a, j3 ) is given by h = Lp(l) = n^^i 

El 

m 2 a-1, m=l, 2 b-1 (1 +%l/a( Xn./b( jp(l, ^) )• It iS 

p necessary to calculate the Jacobian addition jp(l, m) , in 

order to require the order of the Jacobian group. 
However, since it is impossible to directly calculate 

20 the Jacobian addition jp(l, m) according to the 

definition expression, from the viewpoint of the volume 
of calculation, the Stickelberger element as for the 
following Jacobian addition is used. 

Assume that [ A ] indicates the maximum integer 

25 not exceeding the rational number A and that <A> 

indicates the fraction part A -[A] of the rational number 
A. Further, assume that indicates the Galois mapping 



C C ^ of the cyclotomic field Q(C)» The Stickelberger 
element co(a, b) that is the generator of the group ring 
Z[Gal(Q(C)| Q)] is defined as (x){a, b) = [<t/a> + 
<t/b>] C7_t"^- Where, t runs on the typical series of the 
irreducible residue class with the divisor ab. 

It is well known that the expression (jp(l/ m) ) = 
pa>(a, b) satisfied as the ideal of the cyclotomic field 
Q( C ) • Where, P is the prime ideal on p. By the above 
expression, jp(lr m) is necessarily resolved except for 
the 2ab root of 1 • Of the results, the degree of freedom 
for ab root can be obtained by the degree of freedom of 
the coefficient a, ^ ^ Fg of C(p, a, )3 ) . 

In these ways, the search algorithm of the 
following secure curve C(p, a, )3 ) can be obtained. 
The search algorithm of the secure curve C(p, Q! , (3) 
input: the number of Jacobian bits n 
output : p, q: , iS 

(1) g ^ (a-l)(b-l)/2 

(2) The candidate j of the Jacobian addition as for the 
prime number p of some n/g bit or the like is searched 
for by using the calculation algorithm of the candidate 
value of the Jacobian addition as described later: 

(p, j) ^ {calculation algorithm of the candidate value 
of the Jacobian addition} ( n/g) . 

(3) as for the respective k=0, 1, ... , ab, 

K "-^1^1. 2 a-1, .= 1, 2 b-1 ( 1 + (-C )^ j) 

(4) Check whether there is an almost prime number hj^ in 



{ h(j, hi, ... , }• If there is none, return to (1). If 

there is, h := h^ is defined • 

(5) The symbols Car respectively defined as a- 

root of 1 and b-root of 1 in F^. Check whether the order 
of the Jacobian group of the curve C(p, Ca^/ Cb"'):Ca^ 
+ C b"* x*" + 1 = 0 is equal to h, as for the respective 1 = 
0, 1, ... , a-1 and the respective m = 0, 1, ... , b-1. 
If it is equal, output p, o;-Ca^/ i3 - C b"" ^rid finish the 
operation. If such 1 and m don't exist, return to (2). 

In the calculation algorithm of the candidate 
value of the Jacobian addition used in the above, the 
candidate value of the Jacobian addition is required by 
using the above-mentioned Stickelberger element co(a, b) 
= [<t/a> + <t/b>] o . 

The calculation algorithm of the candidate value of the 
Jacobian addition is as follows . 
input: the number of bits m, 
output : p , j , 

(1) CO ^ (<t/a> + <t/b>)a_^-', 

(2) Generate To = ^i^o"^'^ ^ ^ ("10 < c^ < 10) at random. 

(3) as for the respective i - 1, 2, ... , 

r ^ To + I. 

p ^ Norm^t^ r ) , 

Is p smaller than m bit or so? 

yes ^ continue. 

Is p larger than m bit or so? 

yes ^ to ( 2 ) , 



Is p a prime number? 
no continue^ 

(4) Output 3^7"^, p and j, and finish. 

This time, the form of the first embodiment of 
the present invention will be described with reference 
to the accompanying drawings. Fig. 1 is a block diagram 
showing the form of the first embodiment. 

With reference to Fig. 1, the form of the first 
embodiment of the present invention comprises a 
Stickelberger element computing device 11, a Jacobian 
addit^ion candidate value computing device 12, an order 
candidate value computing device 13, a security judging 
device 14, a parameter deciding device 15, a memory 16, 
an input device 17, an output device 18, and a central 
processing unit 19. 

The memory 16 includes a a-storing file 161, a 
b-storing file 162, a co-storing file 163, a j-storing 
file 164, an H-storing file 165, an h-storing file 166, 
a p-storing file 167, and an n-storing file 168. 

Hereinafter, assume that a known method is used 
for the norm arithmetic Nq^^^iq and four fundamental 
arithmetic rules of algebraic number in the cyclotomic 
field Q(C), arithmetic of the function of the Galois 
group G(Q( C ) I Q) for the cyclotomic field Q( C ) , and 
addition and multiplication in the group ring Z[G(Q(S)| 
Q)] on the Galois group G(Q( C ) | Q) of the integer ring Z 
coefficient. 



The operation of the form of a first embodiment 
according to the present invention will be described 
this time. 

Fig. 2 is a flow chart showing the operation of 
the Stickelberger element computing device 11. Fig. 3 is 
a flow chart showing the operation of the Jacobian 
addition candidate value computing device 12. Fig. 4 is 
a flow chart showing the operation of the order 
candidate value computing device 13. Fig. 5 is a flow 
chart showing the operation of the parameter deciding 
device 15. 

The description will be made in the case where 
two different prime numbers, a=3, b=7, specifying the 
degree of complexity of a curve, and the size n=160 of 
an encryption key to be used are supplied from the input 
device 17. The supplied a and b are temporarily stored 
in the a-storing file 161 and the b-storing file 162 
respectively, through the central processing unit 19. 
Further, a variable found in the following description 
is stored in the memory 16. 

The Stickelberger element computing device 11 
obtains a=3, b=7 from the a-storing file 161 and the b- 
storing file 162, according to the operation as shown in 
Fig. 2, and operates as follows. 

A typical series {1, 2, 4, 5, 8, 10, 11, 13, 16, 
17, 19, 20} of the irreducible residue class with a*b = 
3X7-21 used for the variable L as the divisor is stored 



in Step S21 of Fig. 2. 

As for the respective integers t included in the 
variable L={1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20} 
in Step 22 of Fig. 2, for example, as for t=l, since 
[<l/3>+<l/7>] = [l/3+l/7]=[10/21]=0, 0 is stored in the 
variable m; since -1"^ = -1 = 20 mod 21, 20 is stored in 
the variable s; since OX 0 = 0, 0 is stored in the 
variable A^. 

As for the other t, since 
[<2/3>+<2/7>]=[2/3+2/7]=[20/21]=0, 0 is stored in the 
variable A 2; since [<4/3>+<4/7>] = [ 1/3+4/7 ] = [ 19/2 1 ]=0 , 0 
is stored in the variable A 4; since 

[<5/3>+<5/7>] = [2/3 + 5/7] = [29/21]=l and (-5)"' = 16'' = 4 
mod 21,0413 stored in the variable A 5; since 
[<8/3>-*-<8/7>] = [2/3 + l/7] = [ 17/21]=0, 0 is stored in the 
variable A 8,- since [<10/3>+<10/7>] = [ 1/3+3/7 ] = [ 16/21 ]=0, 0 
is stored in the variable A^q; since 

[<ll/3>+<ll/7>]=[2/3+4/7]=t26/21]=l and (-11)"' = 10"' = 
19 mod 21, a 19 is stored in the variable A^; since 
[<13/3>+<13/7>]=[l/3+6/7]=[25/21]=l and (-13)*' = 8"' = 
8mod 21, Oq is stored in the variable A13; since 
[<16/3>+<16/7>]=[l/3+2/7]=[13/21]=0, 0 is stored in the 
variableA,6 ; since [<17/3>+<17/7>]=[ 2/3+3/7 ]=[ 23/21 ]=1 
and (-17)'^ = 4*' = 16 mod 21, a is stored in the 
variable A^^; since [<19/3>+<19/7>]=[ 1/3+5/7 ]=[22/21 ]=1 
and (-19)"' ^ 2"' = 11 mod 21, a is stored in the 
variable A^^; and since 



[<20/3>+<20/7>] = [2/3 + 6/7] = [32/21]=l and (-20)"' = 1-^=1 
mod 21, a 1 is stored in the variable ^20f "the same way. 

The total CO = a^^ o + o o ^ of 

the whole data stored in the respective variables A^, 
A 4, A 5, Ag, A All, ^i3f ^^16/ ^i7f ^19/ ^20 is computed 
in Step S23 of Fig. 2. Here, the total means the total 
in the group ring Z [G(Q(C)| Q)]f indicating the total 
of the coefficients of the respective with the 

respective regarded as symbols. The arithmetic result 
CO is temporarily stored in the co -storing file 163 
through the central processing unit 19. 

The Jacobian addition candidate value computing 
device 12 obtains a=3, b=7 , n=160, co=o^ + ^ 19 + <^ s <^ le 
+ a 11 + a 1 from the a-storing file 161, the b-storing 
file 162, the n-storing file 168, and the co-storing file 
163 and computes the candidate value j of the Jacobian 
addition, according to the processing as shown in Fig. 3, 
as follows. 

Since ab=21, the primitive power root of 1 

is stored in the variableCf and since 2n / (a-l)(b-l) = 
26.6... , 27 is stored in the variable m, in Step 31 of 
Fig. 3. 

The random integer of the cyclotomic field Q( C ) 
is stored in the variable To follow, in Step S32 of 
Fig. 3. The variable To is initialized to 0; the random 
number ro = -2 is generated as for t=0, ro C ° = -2 is 



added to To/ so to require Tq--2; the random number r^ = 

2 is generated as for t=l, r^ S ^ = 2 C is added to Tof 
so to require ro'=-2 + 2C; and the same operation is 
repeated until t-11, so to require ro = -2 + 2C-C^ + 2C 

3 + - C - C'-2 C' + 2C' - in Step S32 of Fig. 
3. 

The following operation will be performed on the 
respective integers i=0, 1, 2, ... , in Step S33 of Fig. 
3. As for i=0. To + 0 is stored in the variable T r so 
to obtain r = -2 + 2C-^' + 2C' + 2C' - - - 2 
+ 2 C ^ - £ to compute the norm Nq^^jiqCT)- The 
resultant 129571513 is stored in the p-storing file 167, 
the number of bits 29 of p = 129571513 is stored in the 
variable 1. That 1=29 and m=27 or so is confirmed. When 
p = 129571513 is factorized into prime factors in the 
known way, p = 129571513 = 43 X 211 X 14281 is obtained. 
Since p = 129571513 is not a prime number, the operation 
as for i = 0 is finished, and as for i =1, the same 
operation will be repeated. In the form of this 
embodiment, the same operation is continued until i = 2. 
As for i=2, ro+2is stored in the variable T, so to 
obtain r = 2C-C' + 2C' + - - - + 2C^ - C 

,to compute the norm NQ(^,|Q(r). The resultant 
163255597 is stored in the p-storing file 167, and the 
number of bits 28 of p = 163255597 is stored in the 
variable 1. Since 1=28 and m=27 or so, and p = 163255597 
is determined as a prime number (a known method is used 



for judgment of a prime number), the operation of Step 
S33 will be finished. 

In Step S3 4 of Fig. 3, the Stickelberger element 
00=0 4 + C7i9+ (^8 + a CTi is adopted to work on 

the value 2C-C' + 2C' + 2C^"C'-C'-2C' + 2C'-C^' 
of the variable T and the result is stored in the j- 
storing file 164. 

Namely, since j = o ,( j ) o j ) o ^{ r ) o r ) o 
ii{r)0,{T) = -11346 + 4158 C + 9337 C - 10930 C' + 3060 C 
' + 11132C' - 1408 C' - lOOOOC' + 7506 C' + 1237 C - 9894 
C + 16406 C'S the content of the j-storing file 164 
becomes -11346 + 4158 C + 9337 C - 10930 + 3060 C + 
11132C' - 1408 C' - lOOOOC' + 7506 C' + 1237 C - 9894 C'° 
+ 16406 

The order candidate value computing device 13 
obtains a, b, j respectively from the a-storing file 161, 
the b-storing file 162, and the j-storing file 164, 
according to the processing as shown in Fig. 4, and 
computes each candidate value for the order of the 
Jacobian group, as follows. 

Since ab=21, the primitive 21^^ power root of 1 
is stored in the variable in Step S41 of Fig. 4. 

In Step S42 of Fig. 4, Nq^^jjq (1 + (-C)*" j) is 
computed as for the respective integers k=l, ... , 2ab=42, 
by using the Jacobian addition candidate value j , and 
the result is stored in the variable h^. Namely, since 
Nq(C,i q (1 + (-C ) j) 



=18945750554224674862720917379214050968749547249577 as 
for k=l, 

189457505542 24674862720917379214050968749547249577 is 
stored in the variable hi, and since Nq<j)| q (1 + (-C )^ 
= 18928969305265796978830941938772180777050417721949 a 
for k=2, 

1892 89693052 65796978830941938772180777050417721949 is 
stored in the variable hj. 

Hereinafter, in the same way, 
18939442397757559639176586128404383479076142135761 is 
stored in the variable hj; 

18935060345406437247984249590121980321244862496761 is 
stored in the variable h4; 

18935622676852726684902 8169706124702 37474541809664 is 
stored in the variable hg; 

18931936903665705475581647305574444786263237069081 is 
stored in the variable hg; 

1892 95606547 7186010138331818599767411692962 6012889 is 
stored in the variable h7; 

189391502036502501861663152421263557867 99280592469 is 
stored in the variable hg; 

189326758072 73674693936115572103379669380378369473 is 
stored in the variable hg; 

18942309965821405414970614992239749691042 375170033 is 
stored in the variable h^o; 

18934229290635176830764035532046510839791719442389 is 



stored in the variable h^; 

18935834172588603026508807514961653603431968293369 is 
stored in the variable hi2; 

1893807 874305394594783193213483589967 89690807102 81 is 
stored in the variable h^^} 

18930980854114698521197692 341107826796840225368461 is 
stored in the variable h^^} 

1892592 63484821260467 97408190951930473609373791353 is 
stored in the variable h^^; 

1893622 9724314338327608155999193464492913218459633 is 
stored in the variable h^g; 

189353890982 784874952 05740285052 81217094387 882 3253 is 
stored in the variable h^^; 

189316915677 81542 99805089652257135802 737444566507 3 is 
stored in the variable h^g; 

189327341806109261081667 036090492 07716180145717849 is 
stored in the variable h^^; 

189386644117437248158037 8459376180146157970564 7693 is 
stored in the variable h2o; 

18933942 752770105179837989473472080616474423254969 is 
stored in the variable h2i; 

18919302 9863357 7736704954 0268484273861903106390 769 is 
stored in the variable h22; 

189360753968852 70373781711765180522497408613713621 is 
stored in the variable hja; 

18925604328984592629627465194343191206594160037073 is 
stored in the variable h24; 



1892 99848637884187518361562 617122993720832 31633577 is 
stored in the variable hjs; 

18929422531793648170111228339741198150094983499776 is 
stored in the variable hjg; 

18933107954541528865152848804062672753166448460761 is 
stored in the variable hj,; 

18935483634705487053043563594391048299333735703993 is 
stored in the variable hze; 

18925896848340062851972136696783348221127455098349 is 
stored in the variable hjg; 

189323684904752 05159124453933007681555744686326777 is 
stored in the variable hjo; 

189227393368644487427502 81538719599103232 717642873 is 
stored in the variable hj^; 

18930815175217344826609492375186423724694 014551957 is 
stored in the variable hjj; 

18929210510360406226057659372472230885175421077009 is 
stored in the variable h^^j 

189269673279367301782 50537884862137815188718140673 is 
stored in the variable h34; 

18934063763272126450623787600233843527396400812437 is 
stored in the variable h^^; 

1893912 05597618768010542 92506881700885415287701041 is 
stored in the variable hjg; 

18928816315710623530089460607608797337081800632473 is 
stored in the variable h^-,; 

1892965653857 0982720438072 809652072203857 571941789 is 



stored in the variable hjg; 

18933352933862176606331230531189579186007983024249 is 
stored in the variable h^^; 

189323106632 74994445599743180032079937147687805121 is 
stored in the variable h4o; 

1892 63819457 02 72 64 06182 624 5570223441130379579917 09 is 
stored in the variable h4i; and 

18931102 6817 8909507222 967 6262975577344314266433617 is 
stored in the variable h^2^ respectively. 

Finally, the order candidate value computing 
device 13 combines the contents of the variables hi to h4 
together as H and stores the same into the H-storing 
file 165. 

The security judging device 14 obtains the H 
from the H-storing file 165, and searches for a 
candidate value h meeting the security condition of 
almost prime number characteristic from the order 
candidate values h^, h2, ... , h42 included in the H, and 
stores the same into the h-storing file 166, In this 
form of the embodiment, for brief description, the 
security condition is considered as for the almost prime 
number characteristic. By use of the known prime number 
judging method, h^ = 

18934229290635176830764035532046510839791719442389 is 
judged to be a prime number, and the security judging 
device 14 stores h = h^ = 



1893422 92 90635176830764035532 046510839791719442389 into 
the h-storing file 166. 

The parameter deciding device 15 obtains a, b, p 
and h respectively from the a-storing file 161, the b- 
storing file 162, the p-storing file 167, and the h- 
storing file 166, and operates according to the 
processing as shown in Fig. 5. 

In Step S51 of Fig. 5, 127994587 that is the 
primitive 3"^"^ power root of 1 with p = 163255597 used as 
the divisor is stored in the variable and 8342648 

that is the primitive 7*"^ power root of 1 with p = 
163255597 used as the divisor is stored in the variable 

In Step S52 of Fig. 5, the following processing 
will be performed on the respective integers 1=1, 2, 3 
and the respective integers m=l, 2, 3, 4, 5, 6, 7. 

When 1=1 and m=l, C3 = 127994587 is stored in 
the variable s , and C7 = 8342648 is stored in the 
variable V . The random element {151707017 + 104678491 x 
+ 123646083 + 18753988 y + 87634493 x^ + 61274336 x y 
+ x', 138799785 + 145105684 x + 584395 x^ + 80828873 y + 
34715892 x' + 121885874 x y + 59787844 x' + x^ y, 
161162224 + 117150097 x + 100956100 x^ + 89380061 y + 
140032555 x^ + 43367019 x y + y^ } of the Jacobian group 
of an algebraic curve defined by the expressions y^ + 7? 



x' + 1 = 127994587 + 8342648 x' + 1 = 0 is generated, 
and this is stored in the variable G, the power of 
h=18934229290635 17 6830764035532 0465 108397917 19442389 in 
the Jacobian group, on a point stored in the variable G 
is computed, and the result {133659497 + 103424746 x + 
136032897 x^ + 131029199 y + 24618867 x' + 114944034 x y 
+ X*, 86125426 + 125891893 x + 19568269 x' + 27044314 y + 
80420960 x^ + 137562092 x y + x^ y, 53604112 + 65990501 x 
+ 51269221 x^ + 55271502 y + 7974233 x^ + 84922220 x y + 
y^ } is stored in the variable G. 

Since the above content of the variable G is not 
equal to the identity element {} in the Jacobian group, C 
3 = 127994587 is stored in the variable S, and Z ^^ = 
8342648^ mod 163255597 = 159772073 is stored in the 
variable V , as for 1=1 and m = 2, thereby repeating 
the above processing. 

In the case of the form of this embodiment, when 
1 =2 and m=2 , e = 35261009 and 7? = 159772073 are 
obtained, the power of 

h=189342292 90635 17 68307640355320465 108397 9 17 19442389 on 
the point G = {4568071 + 141843715 x + 68256743 x^ + 
71903501 y + 128953783 x^ + 10781960 x y + x", 48272788 + 
45615229 x + 150692034 x^ + 53973350 y + 11114765 x^ + 
78550130 X y + 61331354 x* + x^ y, 117552807 + 135448907 
x + 64074711 x^ + 141058974 y + 49208246 x^ + 93940317 x 
y } generated at random results in the identity 

element {}, and the parameter deciding device 15 



supplies p=163255597, £=35261009, r?=159772073 as the 
parameters of a secure algebraic curve. 

Finally, the parameters p=163255597, £=35261009, 
77=159772073 supplied by the parameter deciding device 15 
are supplied from the output device 18. 

This time, the form of a second embodiment 
according to the present invention will be described in 
detail . 

The form of the second embodiment according to 
the present invention is a secure parameter generating 
method in an algebraic curve cryptography, comprising: 

(a) a Stickelberger element computing procedure of 
requiring the prime numbers a and b respectively from 
the a-storing file 161 and the b-storing file 162 and 
computing the Stickelberger element (x> in the ab portion 
of the cyclotomic field; 

(b) a procedure of storing the Stickelberger element a) 
computed in the above Stickelberger element computing 
procedure into the O) -storing file 163; 

(c) a Jacobian addition candidate value computing 
procedure of requiring the prime number a, the prime 
number b, the size n of an encryption key, and the 
Stickelberger element co respectively from the a-storing 
file 161, the b-storing file 162, the n-storing file 168, 
and CO -storing file 163 and computing the Jacobian 
addition candidate value j as for the two different 
prime numbers a and b and the prime number p 



corresponding to the Jacobian addition candidate value 

j; 

(d) a procedure of storing the prime number p and the 
Jacobian addition candidate value j computed in the 
above Jacobian addition candidate value computing 
procedure, respectively into the p-storing file 167 and 
the j-storing file 164; 

(e) an order candidate value computing procedure of 
requiring the prime number a, the prime number b, and 
the Jacobian candidate value j respectively from the a- 
storing file 161, the b-storing file 162, and the j- 
storing file 164 and computing the class H consisting of 
a plurality of candidate values for the order of the 
Jacobian group of the algebraic curve specified by the 
prime number a and the prime number b; 

(f) a procedure of storing the class H computed in the 
above order candidate value computing procedure into the 
H-storing file 165; 

(g) a security judging procedure of requiring the class 
H from the H-storing file 165 and searching for the 
candidate value h meeting the security condition such as 
almost prime number characteristic; 

(h) a procedure of storing the candidate value h found 
in the above security judging procedure, into the h- 
storing file 166; and 

(i) a parameter deciding procedure of requiring the 
prime number a, the prime number b, the prime number p. 



and the candidate value h respectively from the a- 
storing file 161, the b-storing file 162, the p-storing 
file 167, and the h-storing file 166 and computing a 
parameter of an algebraic curve whose order of the 
Jacobian group is in accord with the candidate value h, 
of the algebraic curves specified by the prime number a, 
the prime number b, and the prime number p. 

The form of a third embodiment according to the 
present invention will be described in detail with 
reference to the drawings, this time. Fig. 6 is a block 
diagram showing the form of the third embodiment 
according to the present invention. 

With reference to Fig. 6, the form of the third 
embodiment of the present invention is a storing medium 
130 for storing a program for running the respective 
procedures according to the form of the second 
embodiment of the present invention, on a computer 100. 
This program is executed after being loaded in a storage 
of the computer 100. 

The present invention is effective in enabling 
the use of a higher and complicated algebraic curve 
which couldn't be used, for an algebraic curve 
cryptography, and improving the security of the 
algebraic curve cryptography. This is because an 
algebraic curve having a prime number substantially as 
the order of the Jacobian group can be found efficiently 
from the class of algebraic curves having the following 



# • 



definition equation; a +)3x^ + 1 = 0, thereby expanding 
the range of the usable algebraic curves and dispersedly 
increasing the decoding work of a hacker. 

Although the invention has been illustrated and 
described with respect to exemplary embodiment thereof, 
it should be understood by those skilled in the art that 
the foregoing and various other changes, omissions and 
additions may be made therein and thereto, without 
departing from the spirit and scope of the present 
invention. Therefore, the present invention should not 
be understood as limited to the specific embodiment set 
out above but to include all possible embodiments which 
can be embodies within a scope encompassed and 
equivalents thereof with respect to the feature set out 
in the appended claims. 



